[Samba] Samba 4 AD share: Access denied
Ryan Ashley
ryana at reachtechfp.com
Tue Jul 29 08:00:17 MDT 2014
I understand the basics of Kerberos, but the reason that I am asking is
because I have dozens of S4 servers in production environments and have
never had to create the keytab you mentioned. They all just worked.
Now, I do not mind modifying my pam settings as I have done on loads of
Linux workstations which are joined to an AD domain, but how would I
prevent the login of users? I have a home directory and cannot remove
it, so there is technically a place for their home directories. In
Windows I would simply modify group policy to deny logon, but we both
know Linux knows nothing of a GPO. So without removing "/home", how
would I prevent login?
My plan now is to modify pam first, then if needed, do the keytab.
On 07/29/2014 09:22 AM, Rowland Penny wrote:
> On 29/07/14 14:01, Ryan Ashley wrote:
>> I do not have libpam-krb5 installed, nor have I ever had it installed
>> anywhere, on any system. I also do not modify pam settings because I
>> do not want users being able to log into the servers if one decided
>> to be malicious. Currently each server only has the root account on
>> it and this was fine in S3.
>
> OK, you do not need any other users on the server and as long as there
> is nowhere for the users to call home, they will not be able to login.
> Having said that, the computer needs to authenticate users & groups
> from AD, this is where PAM comes in and you need PAM and kerberos to
> connect to an AD DC.
>
>>
>> Before I change anything, I would like to know what that keytab file
>> does. Just playing it safe. If I do not understand it I will not be
>> able to support it. Thanks for your time and effort, I do appreciate it.
>
> If you are going to get involved with AD, you need to get involved
> with kerberos and keytabs, this subject is a bit involved to go into
> here, but you could start here:
>
> https://itservices.stanford.edu/service/kerberos/keytabs
>
> After that, perhaps the samba wiki and there is always the internet ;-)
>
> Rowland
>
>
>>
>> On 07/29/2014 03:50 AM, Rowland Penny wrote:
>>> On 28/07/14 23:33, Ryan Ashley wrote:
>>>> More information in another winbind log. I attempted to login to a
>>>> remote Windows 7 box with a normal user account which is in both
>>>> groups and should get both drives. Windows logs access denied and
>>>> does not map the drives, and I get this in the logs. At this point
>>>> I am fairly sure winbind is having issues speaking to the DC due to
>>>> a missing module which I can find nothing about online. I did use
>>>> Google for a while today and cannot find a match for the phrases
>>>> below, so I am stuck.
>>>>
>>>> log.wb-TRUEVINE:
>>>> [2014/07/28 18:24:52.880743, 3]
>>>> ../source3/winbindd/winbindd_ads.c:597(query_user)
>>>> ads: query_user
>>>> [2014/07/28 18:24:52.883979, 1]
>>>> ../source3/winbindd/winbindd_ads.c:710(query_user)
>>>> nss_get_info_cached failed: NT_STATUS_NOT_FOUND
>>>>
>>>> log.winbind-idmap:
>>>> [2014/07/28 18:24:52.883979, 3]
>>>> ../lib/krb5_wrap/krb5_samba.c:266(ads_cleanup_expired_creds)
>>>> ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect]
>>>> expiration Mon, 28 Jul 2014 20:14:44 EDT
>>>> [2014/07/28 18:24:52.883991, 0]
>>>> ../source3/winbindd/winbindd.c:266(winbindd_sig_term_handler)
>>>> Got sig[15] terminate (is_parent=0)
>>>> [2014/07/28 18:24:52.884011, 3]
>>>> ../source3/winbindd/idmap.c:230(idmap_init_domain)
>>>> idmap backend ad not found
>>>> [2014/07/28 18:24:52.884072, 3]
>>>> ../source3/winbindd/idmap.c:235(idmap_init_domain)
>>>> Could not probe idmap module ad
>>>>
>>>> On 7/28/2014 11:16 AM, Ryan Ashley wrote:
>>>>> Found the problem, I believe
>>>>>
>>>>> [2014/07/28 10:14:44.828015, 3]
>>>>> ../lib/krb5_wrap/krb5_samba.c:266(ads_cleanup_expired_creds)
>>>>> ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect]
>>>>> expiration Mon, 28 Jul 2014 20:14:44 EDT
>>>>> [2014/07/28 10:31:37.274435, 0]
>>>>> ../source3/winbindd/winbindd.c:266(winbindd_sig_term_handler)
>>>>> Got sig[15] terminate (is_parent=0)
>>>>> [2014/07/28 11:02:32.032341, 3]
>>>>> ../source3/winbindd/idmap.c:230(idmap_init_domain)
>>>>> idmap backend ad not found
>>>>> [2014/07/28 11:02:32.051673, 3]
>>>>> ../source3/winbindd/idmap.c:235(idmap_init_domain)
>>>>> Could not probe idmap module ad
>>>>>
>>>>> As you can see, winbind is having issues with AD. What could cause
>>>>> this? Currently I have set share permissions in Linux to 777 and
>>>>> am running S4 4.1.10 from the v4-1-stable branch. Is this
>>>>> something I can fix?
>>>>>
>>>>> On 07/28/2014 10:19 AM, Ryan Ashley wrote:
>>>>>> Great, so by doing "git clone git://git.samba.org/samba.git
>>>>>> samba-master" I am by default cloning the testing branch. I am
>>>>>> going to do a checkout on stable and try again.
>>>>>>
>>>>>> On 07/28/2014 10:11 AM, Rowland Penny wrote:
>>>>>>> On 28/07/14 15:00, Ryan Ashley wrote:
>>>>>>>> Odd, but it says I am using 4.2.0, which is higher than 4.1.8.
>>>>>>>>
>>>>>>>> root@fs01:/usr/src/samba-master# samba-tool -V
>>>>>>>> 4.2.0pre1-GIT-d097898
>>>>>>>> root@fs01:/usr/src/samba-master# winbindd -V
>>>>>>>> Version 4.2.0pre1-GIT-d097898
>>>>>>>> root@fs01:/usr/src/samba-master# nmbd -V
>>>>>>>> Version 4.2.0pre1-GIT-d097898
>>>>>>>> root@fs01:/usr/src/samba-master#
>>>>>>>>
>>>>>>>> I normally clone, configure, and build. Is the stable branch
>>>>>>>> not default? Am I building a testing branch? Should I checkout
>>>>>>>> on the stable branch?
>>>>>>>>
>>>>>>>> On 07/28/2014 09:50 AM, Rowland Penny wrote:
>>>>>>>>> On 28/07/14 14:41, Ryan Ashley wrote:
>>>>>>>>>> Alright, I was poking around this morning trying to make this
>>>>>>>>>> work, and noticed something odd. Loads of zombie nmbd
>>>>>>>>>> processes. Check out the dump below and tell me, what is
>>>>>>>>>> going on here? Is this my problem?
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 07/28/2014 09:18 AM, Ryan Ashley wrote:
>>>>>>>>>>> I have never even played with apparmor. I do my Debian
>>>>>>>>>>> installs using a net CD and doing the expert 64bit install.
>>>>>>>>>>> I disable recommended and suggested packages and install
>>>>>>>>>>> only exactly what I need, so I do not have apparmor or
>>>>>>>>>>> selinux. Good thought though. I also tried disabling the
>>>>>>>>>>> firewall on a test PC and still no go. This has NEVER
>>>>>>>>>>> happened before so I am lost.
>>>>>>>>>>>
>>>>>>>>>>> So where else should I look? The system in question is a
>>>>>>>>>>> domain member server, can resolve users and groups, and can
>>>>>>>>>>> set ACLs with user and groups from AD. It is simply denying
>>>>>>>>>>> access to group members of said shares.
>>>>>>>>>>>
>>>>>>>>>>> On 07/28/2014 05:02 AM, Rowland Penny wrote:
>>>>>>>>>>>> On 27/07/14 16:28, Ryan Ashley wrote:
>>>>>>>>>>>>> I understand and I should have stated more clearly that I
>>>>>>>>>>>>> have been going through those results for over a week now.
>>>>>>>>>>>>> Nothing seems to help. Funny thing is that creating a
>>>>>>>>>>>>> second virtual file-server and using share authentication
>>>>>>>>>>>>> works fine. Yet another reason I am leaning towards group
>>>>>>>>>>>>> issues. If the file-server is share-level the Windows 7
>>>>>>>>>>>>> boxes are happy. As soon as it goes AD and uses AD groups,
>>>>>>>>>>>>> they stop working. I have not tried user-level security
>>>>>>>>>>>>> yet. Then again I may have user-level and share-level
>>>>>>>>>>>>> confused. It has been a long week. I will keep searching
>>>>>>>>>>>>> but so far nothing I have found and tried works.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Is there a way to get an actual reason for the denial? If
>>>>>>>>>>>>> it flat-out told me a reason I could troubleshoot. Right
>>>>>>>>>>>>> now I am just shooting in random directions hoping to hit
>>>>>>>>>>>>> something since all I get is "Access Denied". Is it
>>>>>>>>>>>>> possible to see if S4 is denying the connection via a log
>>>>>>>>>>>>> or something, or if Windows 7 is being stupid... again?
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 7/27/2014 10:57 AM, Rowland Penny wrote:
>>>>>>>>>>>>>> On 27/07/14 15:15, Ryan Ashley wrote:
>>>>>>>>>>>>>>> That solution is for Windows 8. That also is not our
>>>>>>>>>>>>>>> issue. The Windows 7 Pro 64bit workstations see the
>>>>>>>>>>>>>>> server and shares, and they map the shares according to
>>>>>>>>>>>>>>> group policy, but then everybody gets access denied,
>>>>>>>>>>>>>>> despite being in the domain groups for which the shares
>>>>>>>>>>>>>>> were created. Funny thing is that if I logon as domain
>>>>>>>>>>>>>>> admin, I get to access the shares. Due to this, I fully
>>>>>>>>>>>>>>> believe the S4 server is ignoring or not accounting for
>>>>>>>>>>>>>>> group membership. The "reachfp" account is the domain
>>>>>>>>>>>>>>> admin. This is also the default owner of files on the
>>>>>>>>>>>>>>> shares. The group "administration" contains many members
>>>>>>>>>>>>>>> and does not grant access, despite the group being
>>>>>>>>>>>>>>> granted full control. This led me into believing I am
>>>>>>>>>>>>>>> still dealing with a permissions issue and not another
>>>>>>>>>>>>>>> issue. If it was the other issue, I would assume domain
>>>>>>>>>>>>>>> admin could not see the share or access it. Is that
>>>>>>>>>>>>>>> about right?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>> You are missing the point, I probably could have chosen a
>>>>>>>>>>>>>> better target but I only spent about 30secs on the search:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> windows 7 64 bit access denied samba
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> This returns About 116,000 results, here's another one:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> http://www.sevenforums.com/network-sharing/242602-can-t-connect-samba-share-win-7-ultimate-64-bit.html
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Try looking into this before dismissing it out of hand
>>>>>>>>>>>>>> and insisting that samba is the problem.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>
>>>>>>>>>>>> OK, after more thought and re-reading your posts, a thought
>>>>>>>>>>>> has popped into my head, apparmor, do you have this running
>>>>>>>>>>>> on the server ?
>>>>>>>>>>>> I have been caught out by this a few times, not being
>>>>>>>>>>>> allowed to do things that I thought I should be able to do,
>>>>>>>>>>>> or packages not running correctly because they were not
>>>>>>>>>>>> allowed access, in every case it was apparmor. As I could
>>>>>>>>>>>> never get apparmor to play ball with me (I thought that I
>>>>>>>>>>>> had found all rights that needed modding and then another
>>>>>>>>>>>> one would pop its head up and what is in the logs bears no
>>>>>>>>>>>> resemblance to what you need to put in the conf file), I
>>>>>>>>>>>> now disable apparmor straight after installing a new system.
>>>>>>>>>>>>
>>>>>>>>>>>> Rowland
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>> Somebody else reported this problem, he went to 4.1.8 and the
>>>>>>>>> zombie nmbd problem went away, if you upgrade to the latest
>>>>>>>>> samba4 you may hit two birds with one stone, the nmbd problem
>>>>>>>>> and your group problem ;-)
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>
>>>>>>> Hi, what you are using is not the stable branch, it is the
>>>>>>> branch that will become the next release i.e. 4.2. This does not
>>>>>>> mean that you shouldn't use it, it just means that it could be
>>>>>>> upgraded at any time until it is 'frozen' just before release.
>>>>>>> These upgrades 'could' break something, not saying they will,
>>>>>>> just that they could, for production use I would use the latest
>>>>>>> version from here:
>>>>>>>
>>>>>>> https://ftp.samba.org/pub/samba/stable/
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>>
>>>>>
>>>>
>>> Do you have all of these packages installed:
>>>
>>> samba libnss-winbind winbind libpam-winbind krb5-config libpam-krb5
>>> krb5-user
>>>
>>> If not, install what is missing and add these lines to smb.conf:
>>>
>>> dedicated keytab file = /etc/krb5.keytab
>>> kerberos method = secrets and keytab
>>>
>>> Restart samba and try again, you may have to join the machine to the
>>> domain again.
>>>
>>> Rowland
>>
>
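
Added example, not part of the original thread and not Samba's own code: a small Python triage script for the winbind log excerpts quoted above. It parses entries whether the source location sits on the header line or was wrapped onto its own line by a mail client, then groups the conditions seen in the thread. The rule labels and the function names are this example's own; the sample reuses log lines from the thread, with the layout of the first two entries constructed.

```python
import re

# "[2014/07/28 18:24:52.884011,  3]" optionally followed by "file.c:230(func)".
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(\d+)\]\s*(.*)$")
LOCATION = re.compile(r"^(\S+):(\d+)\((\w+)\)$")

# (message pattern, label). Labels are this example's wording, not Samba's.
RULES = [
    (re.compile(r"idmap backend (\S+) not found"), "idmap-module-missing"),
    (re.compile(r"Could not probe idmap module (\S+)"), "idmap-module-missing"),
    (re.compile(r"nss_get_info_cached failed: (\S+)"), "nss-info-lookup-failed"),
    (re.compile(r"Got sig\[(\d+)\] terminate"), "daemon-terminated"),
]

# Log lines from the thread. The first two entries use a one-line header
# (constructed layout); the rest keep the wrapping seen in the mail.
SAMPLE_LOG = """\
[2014/07/28 18:24:52.880743,  3] ../source3/winbindd/winbindd_ads.c:597(query_user)
  ads: query_user
[2014/07/28 18:24:52.883979,  1] ../source3/winbindd/winbindd_ads.c:710(query_user)
  nss_get_info_cached failed: NT_STATUS_NOT_FOUND
[2014/07/28 18:24:52.883979, 3]
../lib/krb5_wrap/krb5_samba.c:266(ads_cleanup_expired_creds)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect]
expiration Mon, 28 Jul 2014 20:14:44 EDT
[2014/07/28 18:24:52.883991, 0]
../source3/winbindd/winbindd.c:266(winbindd_sig_term_handler)
Got sig[15] terminate (is_parent=0)
[2014/07/28 18:24:52.884011, 3]
../source3/winbindd/idmap.c:230(idmap_init_domain)
idmap backend ad not found
[2014/07/28 18:24:52.884072, 3]
../source3/winbindd/idmap.c:235(idmap_init_domain)
Could not probe idmap module ad
"""


def parse_entries(text):
    """Split a Samba debug log into entries; continuation lines are joined."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            cur = {"time": m.group(1), "level": int(m.group(2)),
                   "source": None, "function": None, "message": ""}
            entries.append(cur)
            line = m.group(3)
            if not line:
                continue
        if cur is None:
            continue  # stray text before the first header
        loc = LOCATION.match(line)
        if loc and cur["source"] is None and not cur["message"]:
            cur["source"] = f"{loc.group(1)}:{loc.group(2)}"
            cur["function"] = loc.group(3)
        else:
            cur["message"] = (cur["message"] + " " + line).strip()
    return entries


def triage(entries):
    """Group entries by (label, detail) with a count and first/last timestamp."""
    findings = {}
    for e in entries:
        for pattern, label in RULES:
            m = pattern.search(e["message"])
            if not m:
                continue
            f = findings.setdefault((label, m.group(1)), {
                "count": 0, "first": e["time"], "last": e["time"],
                "functions": set()})
            f["count"] += 1
            f["first"] = min(f["first"], e["time"])
            f["last"] = max(f["last"], e["time"])
            f["functions"].add(e["function"])
    return findings


if __name__ == "__main__":
    for (label, detail), f in sorted(triage(parse_entries(SAMPLE_LOG)).items()):
        print(f"{label:24} {detail:22} x{f['count']}  {f['first']} .. {f['last']}")
```
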